Cyber Hygiene is the Key to CMMC Compliance Preparedness


The challenge is that many contractors don’t have full visibility into their organization’s network and security.

Across all sectors, theft of intellectual property and sensitive information by cybercriminals threatens economic and national security. There are a number of initiatives aimed at simplifying and standardizing IT risk management, all with the same goal: stronger, more streamlined and more consistent cyber risk management to help keep federal systems and data secure. To achieve this, IT decision-makers must first determine what is on the network, and in order to do that, they need reliable data and improved real-time visibility.

The Defense Department’s Cybersecurity Maturity Model Certification, or CMMC, auditing process aims to create consistent cybersecurity practices for contractors that do business with the federal government—and protect the defense supply chain from security breaches.

Defense contractors will be required to prove they have—and they are using—the mandatory cyber practices to achieve each level of cyber maturity.

Cyber Hygiene Challenges

To prepare for compliance, contractors need a formalized approach to cybersecurity, as they will be required to demonstrate their cyber hygiene to the CMMC Controlled Third Party Assessment Organization (C3PAO) accreditors.

The challenge is that many contractors don’t have full visibility into their organization’s network and security, which leaves their networks—along with DOD networks—vulnerable to attacks. They need complete, continuous threat monitoring and visibility into all assets on the network—an increasingly complex goal in the internet of things, bring-your-own-device, and work-from-home world. 

As contractors work to address individual cybersecurity vulnerabilities, most have implemented a complex patchwork of point products that don’t integrate, are difficult to manage and keep patched, and can’t give the IT leadership team a full view of the threats. If contractors continue to install different point products to resolve each individual problem, they will continue to increase complexity, cost and risk. And they won’t achieve the visibility needed to manage risk and meet CMMC requirements.

Preparing for CMMC Implementation

Contractors need the capability to track and report network security status aligned with requirements in real time. This means identifying risks and vulnerabilities as well as prioritizing them across the networks, and the ability to respond and remediate when needed. Contractors should consider a holistic approach that integrates IT operations and security. IT leaders need a platform—a single pane of glass view—to understand their environment. This platform must provide the capability to integrate endpoint management and security (i.e., gather data from all endpoints, make needed updates, and gain the ability to reduce risk in real time). 

CMMC compliance can be accelerated by addressing use-cases across the CMMC’s 17 security domains and 43 capability areas ranging from basic IT hygiene to advanced persistent threat hunting. A solution that helps to achieve many of the CMMC’s targets by mapping to key capability requirements, facilitating continuous reporting, and supporting progression through the CMMC’s defined maturity tiers is essential.

Technology is constantly evolving, and so are the tactics and approaches of cybercriminals—especially given a newly distributed workforce. When you consider the added layer of BYOD, most personal devices don’t have a protective perimeter; they have the tools the device came with. If these endpoints have periodic connectivity to the agency network, cybercriminals no longer have to penetrate a multi-layered protected perimeter to get into the main server. They can use the unprotected device as an entry point into the network. Defense contractors should leverage a solution that can run discovery and asset tools in their organization’s network, so they can locate and evaluate the unknown devices discovered.

Having a single, unified platform that aligns endpoint management and security helps contractors compile data from all endpoints. The platform should provide comprehensive threat monitoring with detailed incident analysis so that contractors can identify, isolate and mitigate threats in real time. This helps simplify management of hybrid environments, gives contractors a better understanding of their environment, and prepares them for future CMMC audits. These steps help the defense community achieve the ultimate goal: stronger resiliency against cyber risks.

The DOD is only as strong as its weakest link—and a healthy central IT infrastructure is critical to identifying, preventing and mitigating cyber risks for every organization. Contractors must start by achieving good cyber hygiene. As they work to stand up a CMMC-compliant IT infrastructure, it’s important to ask the following questions:

  • How many computers do you have on your network? And are they authorized to be there?
  • What applications are installed? And are they all up to date?
  • What are users doing? And is it authorized?
  • How comfortable are you with your patch/vulnerability/risk posture?
  • Have you recently been breached or had an outage that could have been prevented?

Reducing risk at a point in time to achieve CMMC compliance is beneficial to the security posture of both contractors and the DOD—but the real goal is to understand the environment and reduce risks continuously—protecting systems, data, and the mission. 

Ralph Kahn is the vice president of federal for Tanium.
